There are several minor (contributory) XSS injection points if e.g. the user is able to set the URL of an icon used in certain components. The following locations are affected:

Table icons

Action icons

Embedded flash parameters and browser URL

ComboBox icons, input prompt and suggestion item text in popup width

calculation

Window icon

MenuBar icons

Exploiting most of these vulnerabilities requires e.g. that the user pastes snippets of attacker-written text to the application or the application developer uses user entered strings e.g. as icon names or URLs.